U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

Search Results (Refine Search)

Search Parameters:
  • CPE Product Version: cpe:/a:kanboard:kanboard:1.0.17
There are 27 matching records.
Displaying matches 1 through 20.
Vuln ID Summary CVSS Severity
CVE-2023-36813

Kanboard is project management software that focuses on the Kanban methodology. In versions prior to 1.2.31authenticated user is able to perform a SQL Injection, leading to a privilege escalation or loss of confidentiality. It appears that in some insert and update operations, the code improperly uses the PicoDB library to update/insert new information. Version 1.2.31 contains a fix for this issue.

Published: July 05, 2023; 6:15:09 PM -0400
V3.1: 8.8 HIGH
V2.0:(not available)
CVE-2023-33970

Kanboard is open source project management software that focuses on the Kanban methodology. A vulnerability related to a `missing access control` was found, which allows a User with the lowest privileges to leak all the tasks and projects titles within the software, even if they are not invited or it's a personal project. This could also lead to private/critical information being leaked if such information is in the title. This issue has been addressed in version 1.2.30. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Published: June 05, 2023; 4:15:09 PM -0400
V3.1: 6.5 MEDIUM
V2.0:(not available)
CVE-2023-33969

Kanboard is open source project management software that focuses on the Kanban methodology. A stored Cross site scripting (XSS) allows an attacker to execute arbitrary Javascript and any user who views the task containing the malicious code will be exposed to the XSS attack. Note: The default CSP header configuration blocks this javascript attack. This issue has been addressed in version 1.2.30. Users are advised to upgrade. Users unable to upgrade should ensure that they have a restrictive CSP header config.

Published: June 05, 2023; 4:15:09 PM -0400
V3.1: 5.4 MEDIUM
V2.0:(not available)
CVE-2023-33968

Kanboard is open source project management software that focuses on the Kanban methodology. Versions prior to 1.2.30 are subject to a missing access control vulnerability that allows a user with low privileges to create or transfer tasks to any project within the software, even if they have not been invited or the project is personal. The vulnerable features are `Duplicate to project` and `Move to project`, which both utilize the `checkDestinationProjectValues()` function to check his values. This issue has been addressed in version 1.2.30. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Published: June 05, 2023; 4:15:09 PM -0400
V3.1: 5.4 MEDIUM
V2.0:(not available)
CVE-2023-33956

Kanboard is open source project management software that focuses on the Kanban methodology. Versions prior to 1.2.30 are subject to an Insecure direct object reference (IDOR) vulnerability present in the application's URL parameter. This vulnerability enables any user to read files uploaded by any other user, regardless of their privileges or restrictions. By Changing the file_id any user can render all the files where MimeType is image uploaded under **/files** directory regard less of uploaded by any user. This vulnerability poses a significant impact and severity to the application's security. By manipulating the URL parameter, an attacker can access sensitive files that should only be available to authorized users. This includes confidential documents or any other type of file stored within the application. The ability to read these files can lead to various detrimental consequences, such as unauthorized disclosure of sensitive information, privacy breaches, intellectual property theft, or exposure of trade secrets. Additionally, it could result in legal and regulatory implications, reputation damage, financial losses, and potential compromise of user trust. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Published: June 05, 2023; 4:15:09 PM -0400
V3.1: 6.5 MEDIUM
V2.0:(not available)
CVE-2023-32685

Kanboard is project management software that focuses on the Kanban methodology. Due to improper handling of elements under the `contentEditable` element, maliciously crafted clipboard content can inject arbitrary HTML tags into the DOM. A low-privileged attacker with permission to attach a document on a vulnerable Kanboard instance can trick the victim into pasting malicious screenshot data and achieve cross-site scripting if CSP is improperly configured. This issue has been patched in version 1.2.29.

Published: May 30, 2023; 1:15:11 AM -0400
V3.1: 5.4 MEDIUM
V2.0:(not available)
CVE-2019-7324

app/Core/Paginator.php in Kanboard before 1.2.8 has XSS in pagination sorting.

Published: February 04, 2019; 2:29:00 PM -0500
V3.0: 6.1 MEDIUM
V2.0: 4.3 MEDIUM
CVE-2017-15212

In Kanboard before 1.0.47, by altering form data, an authenticated user can at least see the names of tags of a private project of another user.

Published: October 10, 2017; 9:32:55 PM -0400
V3.0: 4.3 MEDIUM
V2.0: 4.0 MEDIUM
CVE-2017-15211

In Kanboard before 1.0.47, by altering form data, an authenticated user can add an external link to a private project of another user.

Published: October 10, 2017; 9:32:55 PM -0400
V3.0: 4.3 MEDIUM
V2.0: 4.0 MEDIUM
CVE-2017-15210

In Kanboard before 1.0.47, by altering form data, an authenticated user can see thumbnails of pictures from a private project of another user.

Published: October 10, 2017; 9:32:55 PM -0400
V3.0: 4.3 MEDIUM
V2.0: 4.0 MEDIUM
CVE-2017-15209

In Kanboard before 1.0.47, by altering form data, an authenticated user can remove attachments from a private project of another user.

Published: October 10, 2017; 9:32:55 PM -0400
V3.0: 4.3 MEDIUM
V2.0: 4.0 MEDIUM
CVE-2017-15208

In Kanboard before 1.0.47, by altering form data, an authenticated user can remove automatic actions from a private project of another user.

Published: October 10, 2017; 9:32:55 PM -0400
V3.0: 4.3 MEDIUM
V2.0: 4.0 MEDIUM
CVE-2017-15207

In Kanboard before 1.0.47, by altering form data, an authenticated user can edit tasks of a private project of another user.

Published: October 10, 2017; 9:32:54 PM -0400
V3.0: 4.3 MEDIUM
V2.0: 4.0 MEDIUM
CVE-2017-15206

In Kanboard before 1.0.47, by altering form data, an authenticated user can add an internal link to a private project of another user.

Published: October 10, 2017; 9:32:54 PM -0400
V3.0: 4.3 MEDIUM
V2.0: 4.0 MEDIUM
CVE-2017-15205

In Kanboard before 1.0.47, by altering form data, an authenticated user can download attachments from a private project of another user.

Published: October 10, 2017; 9:32:54 PM -0400
V3.0: 4.3 MEDIUM
V2.0: 4.0 MEDIUM
CVE-2017-15204

In Kanboard before 1.0.47, by altering form data, an authenticated user can add automatic actions to a private project of another user.

Published: October 10, 2017; 9:32:54 PM -0400
V3.0: 4.3 MEDIUM
V2.0: 4.0 MEDIUM
CVE-2017-15203

In Kanboard before 1.0.47, by altering form data, an authenticated user can remove categories from a private project of another user.

Published: October 10, 2017; 9:32:54 PM -0400
V3.0: 4.3 MEDIUM
V2.0: 4.0 MEDIUM
CVE-2017-15202

In Kanboard before 1.0.47, by altering form data, an authenticated user can edit columns of a private project of another user.

Published: October 10, 2017; 9:32:54 PM -0400
V3.0: 4.3 MEDIUM
V2.0: 4.0 MEDIUM
CVE-2017-15201

In Kanboard before 1.0.47, by altering form data, an authenticated user can edit tags of a private project of another user.

Published: October 10, 2017; 9:32:54 PM -0400
V3.0: 4.3 MEDIUM
V2.0: 4.0 MEDIUM
CVE-2017-15200

In Kanboard before 1.0.47, by altering form data, an authenticated user can add a new task to a private project of another user.

Published: October 10, 2017; 9:32:54 PM -0400
V3.0: 4.3 MEDIUM
V2.0: 4.0 MEDIUM